CN105516128A - Detecting method and device of Web attack - Google Patents


Info

Publication number
CN105516128A
Authority
CN
China
Legal status
Granted
Application number
CN201510889266.0A
Other languages
Chinese (zh)
Other versions
CN105516128B (en)
Inventor
叶润国
蔡磊
范科峰
Current Assignee
China Electronics Standardization Institute
Original Assignee
China Electronics Standardization Institute
Application filed by China Electronics Standardization Institute
Priority to CN201510889266.0A
Publication of CN105516128A
Application granted
Publication of CN105516128B
Current legal status: Expired - Fee Related

Classifications

    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention discloses a method and device for detecting Web attacks. The method comprises: dividing a plurality of Web logs to be processed according to the URL (Uniform Resource Locator) in each Web log, to obtain Web log subsets corresponding to different URLs; for the Web log subset corresponding to each URL, selecting part of the Web logs in the subset, such that the proportion of the selected Web logs in the subset is less than or equal to a preset upper limit, and building a normal behaviour model corresponding to that URL from the selected Web logs; and, for the Web log subset corresponding to each URL, performing anomaly detection on the unselected Web logs in the subset based on the normal behaviour model corresponding to that URL. The method and device make it possible to detect, and collect evidence of, Web attacks that a Web application firewall did not discover.

Description

Method and device for detecting Web attacks
Technical field
The present invention relates to the field of network security, and in particular to a method and device for detecting Web attacks.
Background technology
At present about 80% of common applications are Web applications, including financial applications with high security requirements; the Web has become the standard application interface. While Web applications bring convenience, they have also become the targets that attackers pay the most attention to. Common attacks on Web applications include SQL (Structured Query Language) injection, XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery) and the various attack patterns that may cause a Web server denial of service.
To defend against these attacks, the usual approach in the related art is to deploy a Web application firewall in front of the Web application. It inspects each Web access request before the request is passed to the backend Web server and blocks the request if it finds a Web attack attempt. However, current Web application firewalls mostly use misuse detection, that is, matching against an intrusion signature database to identify attacks. Its advantage is a low false-positive rate; its drawback is that Web attack signatures are easily transformed, so an attack can evade detection and produce a false negative. In addition, misuse detection cannot detect unknown Web attacks.
Anomaly detection is a different kind of attack detection. It first builds a normal behaviour model for the object being monitored, then measures the deviation of the object's current behaviour from that model; a clear deviation indicates abnormal behaviour, which may be an attack. Its advantage is that it can detect unknown attacks; its obvious drawback is a high false-positive rate, and the alarms often cannot be explained reasonably.
A Web application firewall can only detect attack attempts. Web attacks that have evaded the firewall can still be detected by security analysis of the Web logs. However, most current log-based Web attack detection methods still use misuse detection based on known attack signatures, and their false-negative rate is high.
Summary of the invention
The technical problem to be solved by the present invention is how to overcome the drawbacks of misuse detection and of anomaly detection, and how to perform after-the-fact attack detection and evidence collection for Web attacks that the Web application firewall failed to discover.
To solve this problem, the following technical solution is adopted.
A Web attack detection method, comprising:
S110: for a plurality of Web logs to be processed, dividing them according to the uniform resource locator (URL) in each Web log, to obtain the Web log subsets corresponding to different URLs;
S120: for the Web log subset corresponding to each URL, performing the following: selecting part of the Web logs in the subset, such that the proportion of the selected Web logs in the subset is less than or equal to a predetermined upper limit, and building the normal behaviour model corresponding to that URL from the selected Web logs;
S130: for the Web log subset corresponding to each URL, performing anomaly detection on the Web logs in the subset that were not selected, based on the normal behaviour model corresponding to that URL.
Optionally, building the normal behaviour model corresponding to the URL from the selected Web logs comprises:
building, from the user input values of one or more user input parameters related to the URL in the selected Web logs, a normal data format for each of those user input parameters; the normal behaviour model corresponding to the URL is the set of the normal data formats of the user input parameters related to that URL;
and performing anomaly detection on the unselected Web logs in the subset based on the normal behaviour model corresponding to the URL comprises:
for each unselected Web log, extracting the user input values of the one or more user input parameters related to the URL, checking whether each user input value conforms to the normal data format of its user input parameter in the normal behaviour model, and judging the value abnormal if it does not; when the number or proportion of user input values judged abnormal in a Web log is greater than or equal to a predetermined threshold, the Web log is determined to be an abnormal Web log.
Optionally, the one or more user input parameters related to the URL comprise any one or more of: one or more Cookies related to the URL, and one or more user input parameters appended to the URL.
Optionally, after a user input value is judged abnormal, the method further comprises:
matching the abnormal user input value against a Web intrusion signature database to identify known Web attacks.
Optionally, building the normal behaviour model corresponding to the URL from the selected Web logs comprises:
performing misuse detection based on the Web intrusion signature database on the selected Web logs, screening out the Web logs that contain Web attack signatures, and building the normal behaviour model corresponding to the URL from the remaining Web logs.
A Web attack detection device, comprising:
a log classification module, for dividing a plurality of Web logs to be processed according to the URL in each Web log, to obtain the Web log subsets corresponding to different URLs;
a normal behaviour model learning module, for performing the following for the Web log subset corresponding to each URL: selecting part of the Web logs in the subset, such that the proportion of the selected Web logs in the subset is less than or equal to a predetermined upper limit, and building the normal behaviour model corresponding to that URL from the selected Web logs;
an anomaly detection module, for performing, for the Web log subset corresponding to each URL, anomaly detection on the unselected Web logs in the subset based on the normal behaviour model corresponding to that URL.
Optionally, the normal behaviour model learning module building the normal behaviour model corresponding to the URL from the selected Web logs comprises:
the normal behaviour model learning module building, from the user input values of one or more user input parameters related to the URL in the selected Web logs, a normal data format for each of those user input parameters, the normal behaviour model corresponding to the URL being the set of the normal data formats of the user input parameters related to that URL;
and the anomaly detection module performing anomaly detection on the unselected Web logs in the subset based on the normal behaviour model corresponding to the URL comprises:
the anomaly detection module, for each unselected Web log, extracting the user input values of the one or more user input parameters related to the URL, checking whether each user input value conforms to the normal data format of its user input parameter in the normal behaviour model, and judging the value abnormal if it does not; when the number or proportion of user input values judged abnormal in a Web log is greater than or equal to a predetermined threshold, the Web log is determined to be an abnormal Web log.
Optionally, the one or more user input parameters related to the URL comprise any one or more of: one or more Cookies related to the URL, and one or more user input parameters appended to the URL.
Optionally, the device further comprises:
a misuse detection module, for matching a user input value judged abnormal against the Web intrusion signature database to identify known Web attacks.
Optionally, the normal behaviour model learning module building the normal behaviour model corresponding to the URL from the selected Web logs comprises:
the normal behaviour model learning module instructing the misuse detection module to perform misuse detection based on the Web intrusion signature database on the selected Web logs, screening out the Web logs that contain Web attack signatures, and building the normal behaviour model corresponding to the URL from the remaining Web logs.
The advantage of the technical solution of the present invention is that it fully combines the advantages of misuse detection and anomaly detection: it can detect various known and unknown Web attacks; during after-the-fact analysis of a Web application's security, such as an information security risk assessment, it can detect and collect evidence of Web attacks that the front-end Web application firewall could not detect; and it may discover various unknown Web attacks. It is therefore a useful supplement to the Web application firewall for ensuring the security of Web applications.
Other features and advantages of the present invention will be set forth in the following description, will in part become apparent from the description, or may be learned by practising the invention. The objects and other advantages of the invention are realised and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings provide a further understanding of the technical solution of the present invention and form part of the description; together with the embodiments of the application they serve to explain the technical solution and do not limit it.
Fig. 1 is a flow chart of the Web attack detection method of embodiment one of the present invention;
Fig. 2 is a schematic diagram of the Web attack detection device of embodiment one of the present invention.
Embodiments
The technical solution of the present invention is described in detail below with reference to the drawings and embodiments.
It should be noted that, provided they do not conflict, the embodiments of the present invention and the features in them may be combined with each other, all within the scope of protection of the present invention. In addition, although a logical order is shown in the flow charts, in some cases the steps may be performed in an order different from the one shown or described here.
Embodiment one, a Web attack detection method, as shown in Fig. 1, comprises steps S110 to S130:
S110: for a plurality of Web logs to be processed, divide them according to the URL (Uniform Resource Locator) in each Web log, to obtain the Web log subsets corresponding to different URLs.
This step may comprise: for the plurality of Web logs to be processed, first extracting the URL from each Web log, then dividing the Web logs according to the URL, so that Web logs containing the same URL are placed in the same Web log subset; this yields a one-to-one correspondence between URLs and Web log subsets, where each subset may contain one or more Web logs.
This step may be followed by: excluding in advance the Web log subsets whose number of Web logs is below a first predetermined count threshold, or performing the subsequent steps only on the subsets whose number of Web logs reaches a second predetermined count threshold. In other words, an anomaly detection threshold condition is set, and the subsets that do not meet it (for example because they contain too few Web logs) are instead subjected to misuse detection, based on the Web intrusion signature database, of the URL-related user input parameters carried in each of their Web logs; the reason is that when the Web logs are too few, the results of steps S120 and S130 may be incorrect. The first and second predetermined count thresholds, or any other anomaly detection threshold condition, may be determined empirically or by experiment.
S120: for the Web log subset corresponding to each URL obtained in step S110, perform the following:
Select part of the Web logs in the subset as samples, such that the proportion of the selected Web logs in the subset is less than or equal to a predetermined upper limit, and build the normal behaviour model corresponding to the URL from the selected Web logs.
The predetermined proportion may be set to 50% or less. For example, if a Web log subset contains 96 Web logs and the predetermined proportion is 30%, then at most 28 Web logs are selected as samples for building the normal behaviour model.
A lower limit on the proportion, or a minimum count (that is, how many must be selected at least), may also be specified when selecting Web logs, to ensure that the number of selected Web logs is not too small.
The Web logs may be selected at random, or according to a predetermined principle, for example: the selected Web logs must come from at least a specified number of distinct Web clients.
Building the normal behaviour model corresponding to the URL from the selected Web logs may comprise: performing misuse detection based on the Web intrusion signature database on the selected Web logs, screening out the Web logs that contain obvious Web attack signatures, and then building the normal behaviour model corresponding to the URL from the remaining Web logs.
The Web intrusion signature database may contain Web attack signatures for identifying one or more of the following known attacks: SQL injection, XSS, directory traversal, buffer overflow, sensitive file access and OS command injection.
Building the normal behaviour model corresponding to the URL from the selected Web logs may comprise: based on the user input values of the one or more user input parameters related to the URL in the selected Web logs, building a normal data format for each URL-related user input parameter (that is, the normal data format of the user input values expected by the backend Web application); the normal behaviour model corresponding to the URL may be the set of the normal data formats of the URL-related user input parameters. The user input value may also be called the parameter value of the user input parameter; for example, the user input parameter is status and the user input value is ok.
The method of this embodiment may further comprise: when building the normal data format for a certain user input parameter fails, giving up building a normal data format for that parameter and instead applying misuse detection based on the known Web intrusion signature database directly to that parameter. If a normal data format cannot be built for some of the URL-related user input parameters, the normal behaviour model corresponding to the URL may be the set of the normal data formats that were built successfully.
The one or more URL-related user input parameters may comprise any one or more of: one or more Cookies related to the URL, and one or more user input parameters appended to the URL.
S130: for the Web log subset corresponding to each URL, perform anomaly detection on the remaining Web logs in the subset (that is, the Web logs not selected in step S120) based on the normal behaviour model corresponding to the URL built in step S120, so as to detect the various Web attacks that may be present in the Web logs.
Performing anomaly detection on the unselected Web logs in the subset may comprise: for each unselected Web log, extracting the current behaviour of the URL and comparing it with the previously built normal behaviour model of the URL; when the current behaviour of the URL in a Web log deviates strongly from the URL's normal behaviour model, a Web anomaly may have been detected and the Web log is determined to be an abnormal Web log.
Extracting the current behaviour of the URL and comparing it with the previously built normal behaviour model comprises: extracting from the Web log the user input values of the one or more URL-related user input parameters, checking whether each user input value conforms to the normal data format of its user input parameter in the normal behaviour model, and judging the value abnormal if it does not.
When the number or proportion of user input values judged abnormal in a Web log is greater than or equal to a predetermined threshold (for example, the number reaches or exceeds a predetermined upper limit on abnormal values, or the proportion among the log's user input values reaches or exceeds a predetermined upper limit on the abnormal proportion), the current behaviour of the URL in that Web log is considered to deviate strongly from the normal behaviour model, and the Web log is determined to be an abnormal Web log.
Step S130 may be followed by: performing misuse detection based on the Web intrusion signature database on the abnormal Web logs of all Web log subsets, so as to identify an abnormal Web log as a specific Web attack.
The purpose of misuse detection after anomaly detection is to identify which type of Web attack an abnormal Web log belongs to. If an abnormal Web log cannot be identified as a specific Web attack, possibly because the attack signature has been transformed, the Web log may be marked as an abnormal attack and left for further manual analysis; if manual analysis finds a transformed attack signature, that signature may be added to the Web intrusion signature database.
After a user input value is judged abnormal, the method may further comprise: matching the abnormal user input value against the previously established Web intrusion signature database, so that known Web attacks are recognised. The execution details of this embodiment are described below with six embodiment examples.
Embodiment example 1 describes the process of extracting the URL from a Web log.
The Web logs may be those of any common Web application server, including but not limited to the access_log of Apache and the W3SVC log files of Microsoft IIS. This embodiment can perform security analysis on Web log files of any format it can recognise. Below is a Web log entry extracted from an IIS log file, with its field description:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-12-14 06:00:45 W3SVC449144315 GD-5JW2MLSORDNG 123.232.97.202 GET /download.asp id=14774&status=ok 80 - 72.30.142.151 HTTP/1.0 Mozilla/5.0 SID=CHBAGCNBKC;login=okay - music.jnnc.com 200 0 0 5516 223 609
For the IIS Web log in the example above, the URL carried in the log entry comes from the 7th field, the one named cs-uri-stem. In this example the value of the cs-uri-stem field is "/download.asp".
According to the step of this embodiment that classifies Web logs by URL, the Web logs are classified by the value of the cs-uri-stem field, and Web logs containing the same URL are placed in the same Web log subset.
URL extraction for Web logs of other formats follows the example above and is not repeated here.
Embodiment example 2 describes the process of extracting the URL-related user input parameters from a Web log.
An HTTP request sent by a client or an attacker contains a URL and may also carry user input parameters received from the user side; these generally appear in the Cookie and in the URL query parameters of the HTTP request. The Web application server may record these user input parameters in the Web log. For the Microsoft IIS Web application server they are in the cs(Cookie) and cs-uri-query fields respectively. For the IIS Web log shown in embodiment example 1, the value of the cs-uri-query field is id=14774&status=ok and the value of the cs(Cookie) field is SID=CHBAGCNBKC;login=okay. The cs-uri-query value contains two user input parameters separated by "&", each in name=value form: the one named id with value 14774, and the one named status with value ok. The cs(Cookie) value contains two name=value pairs separated by ";": the one named SID with value CHBAGCNBKC, and the one named login with value okay. Therefore four user input parameters can be extracted from the Web log of embodiment example 1, named id, status, SID and login, with user input values "14774", "ok", "CHBAGCNBKC" and "okay" respectively. This embodiment builds a normal behaviour model of the user input values of these user input parameters, and then combines misuse detection and anomaly detection to identify the various known and unknown Web attacks carried in them.
Normally, the parameters that may carry user input data also include the body of a POST request, which likewise consists of name=value pairs separated by "&". However, for POST requests the user input data carried in the body is not recorded in the Web log, so the method of the invention does not consider Web attacks contained in those user input parameters and values.
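The extraction of embodiment examples 1 and 2, together with the grouping of S110 and the sampling of S120, as an added Python example; this is not code from the patent. The log text is constructed: the first data line is the IIS entry quoted above with single spaces restored between fields, the other lines are invented. The field order follows the #Fields header; the names parse_w3c, user_inputs, group_by_url, eligible and choose_sample, the ratio_cap and min_logs values, and the policy of skipping lines with the wrong field count are all assumptions.

```python
import random
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed W3C extended log in IIS style. The first data line is the entry
# quoted in the patent with single spaces restored between fields; the other
# lines are invented. Field order follows the #Fields header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-12-14 06:00:45 W3SVC449144315 GD-5JW2MLSORDNG 123.232.97.202 GET /download.asp id=14774&status=ok 80 - 72.30.142.151 HTTP/1.0 Mozilla/5.0 SID=CHBAGCNBKC;login=okay - music.jnnc.com 200 0 0 5516 223 609
2008-12-14 06:00:47 W3SVC449144315 GD-5JW2MLSORDNG 123.232.97.202 GET /download.asp id=14775&status=ok 80 - 72.30.142.152 HTTP/1.1 Mozilla/5.0 SID=CHBAGCNBKD;login=okay - music.jnnc.com 200 0 0 5516 223 611
2008-12-14 06:00:49 W3SVC449144315 GD-5JW2MLSORDNG 123.232.97.202 GET /search.asp q=rock+music&page=2 80 - 72.30.142.153 HTTP/1.1 Mozilla/5.0 - - music.jnnc.com 200 0 0 9120 201 87
2008-12-14 06:00:50 W3SVC449144315 GD-5JW2MLSORDNG 123.232.97.202 POST /login.asp - 80 - 72.30.142.154 HTTP/1.1 Mozilla/5.0 SID=CHBAGCNBKE - music.jnnc.com 302 0 0 300 412 15
this truncated line has the wrong field count and is skipped
"""


def parse_w3c(text):
    """Embodiment example 1: parse a W3C log into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # assumption: drop malformed lines
                entries.append(dict(zip(fields, values)))
    return entries


def split_pairs(raw, sep):
    """Split 'a=1&b=2' (query) or 'a=1;b=2' (cookie) into (name, value) pairs."""
    if raw in ("", "-"):                  # IIS writes '-' for an absent field
        return []
    pairs = []
    for item in raw.split(sep):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name.strip(), unquote_plus(value)))
    return pairs


def user_inputs(entry):
    """Embodiment example 2: URL query parameters plus Cookie parameters.
    POST bodies are not in the log, so they cannot be extracted here."""
    return (split_pairs(entry.get("cs-uri-query", "-"), "&")
            + split_pairs(entry.get("cs(Cookie)", "-"), ";"))


def group_by_url(entries):
    """S110: one subset per URL, keyed by the cs-uri-stem value."""
    subsets = defaultdict(list)
    for entry in entries:
        subsets[entry["cs-uri-stem"]].append(entry)
    return dict(subsets)


def eligible(subsets, min_logs):
    """Pre-check from the description: subsets with too few logs get no model and
    are left to signature matching, because S120/S130 would be unreliable."""
    return {url: logs for url, logs in subsets.items() if len(logs) >= min_logs}


def choose_sample(subset, ratio_cap=0.3, min_sample=1, rng=None):
    """S120 sampling: at most ratio_cap of the subset (96 logs, 30% -> 28),
    but never fewer than min_sample, chosen at random. Returns (sample, rest)."""
    n = len(subset)
    k = min(n, max(min_sample, int(n * ratio_cap)))
    rng = rng or random.Random(0)        # fixed seed so the split is reproducible
    chosen = set(rng.sample(range(n), k))
    sample = [e for i, e in enumerate(subset) if i in chosen]
    rest = [e for i, e in enumerate(subset) if i not in chosen]
    return sample, rest


if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    for url, logs in group_by_url(entries).items():
        print(url, [user_inputs(e) for e in logs])
```

In a real deployment the same field names come from the log's own #Fields header, so the parser does not hard-code a column layout; Apache access_log lines would need a different line splitter but yield the same (name, value) pairs.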
Exemplifying embodiment 3, the introduction of this exemplifying embodiment carry out the process of normal behaviour modeling (that is: building normal data form) to user's input parameter.
Statistical analysis of common Web service systems shows that, in a real Web service system, the back-end Web application requires every user input parameter to conform to a certain data format, and a standard regular expression can be used to represent the data format of each user input parameter. For example, a user input parameter is either a numeric field or a text field. A numeric field allows only numbers, that is, integers and floating-point numbers; common user input parameters of this kind include age, price, time and month, and each can be represented by a regular expression. A text field allows text (ASCII text as well as Chinese characters). For user input parameters of text field type, statistics show that most text fields can be summarized as either plain text or a data list. Plain text types include ID card number, e-mail address, telephone number, IP address, file name, URL, DNS name, Boolean, ASCII word and Chinese word. A data list type is table-like data formed by combining simple-type data in some fixed way, for example a data list joined with minus signs or semicolons. All of these text fields can be described by a known regular expression.
In this embodiment, the process of building the normal data format of a user input parameter is as follows: from the Web logs selected as the learning sample, extract the list of user input values of this user input parameter; after the learning sample has been cleaned (that is, after Web logs carrying Web attack signatures have been excluded), either apply a predetermined data-format learning algorithm to perform unsupervised learning on this list of user input values, or match the list directly against the regular expressions corresponding to the previously established data formats, in order to identify the data format of this user input parameter. Embodiment example 4 describes the process of building the normal data format of a user input parameter by the second method.
Once the normal data format of a user input parameter has been determined, Web anomaly detection can be performed on the basis of that normal data format.
For user input parameters that cannot be described by a simple data format of known type or by a data list format (for example, the parameter that receives the body of a user's forum post, or the parameter that receives a user comment), that is, for user input parameters for which no normal data format can be built, no normal data format is established; instead, such parameters are checked directly with the misuse detection method based on known Web attack signatures.
Embodiment example 4. This embodiment example describes the process of building the normal data format of a user input parameter from its list of user input values.
The process described in this embodiment example for building the normal data format of a user input parameter from its list of user input values is a learning process comprising steps 41 to 43:
41. First, define a regular expression for each known data format of user input parameters;
42. Then, for each user input value in the list of user input values, match it against each predefined regular expression; if it matches the regular expression of a certain type of data format, add one vote to that data format (because a user input value may match the data formats of several types, one user input value may add one vote to each of several data formats). When every user input value in the list has been voted on, select the data format(s) whose vote count is greater than or equal to the preset threshold as the normal data format of the user input parameter to which this list of values belongs (such a format is called the absolutely dominant data type). If no data format is absolutely dominant under the present conditions, the length of the list of user input values may be increased until at least one absolutely dominant data format is obtained as the normal data format of the corresponding user input parameter.
43. If no absolutely dominant data format can be extracted even after continued learning (most likely because this user input parameter has no data format that an available regular expression can describe, such as the comment field of a forum), the data format learning is deemed to have failed and the building of the normal data format for this user input parameter is stopped.
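The voting procedure of steps 41 to 43, as an added Python example that is not part of the patent: the regular expressions for the known formats, the initial list length, the extension step, the cap on list length and the 95% vote share are all assumptions made here (the patent names the format types and a preset threshold but fixes none of their values).

```python
import re
from collections import Counter

# Step 41: one regular expression per known data format. These expressions
# are constructed for this example; the patent names the format types but
# does not fix their expressions.
KNOWN_FORMATS = {
    "integer": re.compile(r"-?\d+"),
    "float": re.compile(r"-?\d+\.\d+"),
    "boolean": re.compile(r"(?i:true|false|0|1)"),
    "ascii_word": re.compile(r"[A-Za-z]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"),
}


def vote(values):
    """Step 42: every value casts one ballot for each format it fully matches,
    so a value such as "1" votes for both "integer" and "boolean"."""
    votes = Counter()
    for value in values:
        for name, rx in KNOWN_FORMATS.items():
            if rx.fullmatch(value):
                votes[name] += 1
    return votes


def dominant_formats(votes, n_values, min_percent):
    """Formats whose share of the n_values ballots reaches the preset threshold
    (the patent's "absolutely dominant" data types). Integer arithmetic avoids
    float rounding exactly at the boundary."""
    return sorted(name for name, count in votes.items()
                  if count * 100 >= min_percent * n_values)


def learn_format(value_stream, initial=5, step=5, max_values=100, min_percent=95):
    """Steps 42 and 43 for one parameter: vote on an initial list of values,
    extend the list by `step` while no format is dominant, and give up when the
    stream is exhausted or `max_values` is reached.
    Returns (sorted dominant formats or None, number of values consumed)."""
    values, it, want = [], iter(value_stream), initial
    while True:
        exhausted = False
        while len(values) < want:
            nxt = next(it, None)
            if nxt is None:
                exhausted = True
                break
            values.append(nxt)
        if values:
            dominant = dominant_formats(vote(values), len(values), min_percent)
            if dominant:
                return dominant, len(values)
        if exhausted or len(values) >= max_values:
            return None, len(values)  # step 43: learning failed
        want += step


# Constructed user input value lists, as they would be extracted from a
# cleaned learning sample (not real traffic).
SAMPLE_VALUES = {
    "age": ["18", "42", "7", "65", "23", "31", "55", "40", "29", "61"],
    "flag": ["0", "1", "1", "0", "1", "0", "0", "1", "1", "1"],
    "comment": ["nice post", "I disagree; see http://x.test", "第一", "ok",
                "+1 !!", "why?", "...", "lol", "hmm", "k"],
}

if __name__ == "__main__":
    for param, values in SAMPLE_VALUES.items():
        print(param, learn_format(values))
```

The "flag" list shows the multi-vote case the patent mentions (both "boolean" and "integer" are dominant), while the free-text "comment" list ends in step 43's failure.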
To guarantee the accuracy of the normal data format built for a user input parameter, the user input values used to model normal behaviour must first be kept as pure as possible. The method of this embodiment uses the misuse detection method to exclude Web logs that contain Web attacks from the learning sample.
Embodiment example 5. This embodiment example describes the process of performing anomaly detection based on the normal data formats of user input parameters.
This embodiment constructs, for each user input parameter, its corresponding normal data format, and uses the set of normal data formats of the user input parameters related to a URL as the normal behaviour model of that URL. The key to anomaly detection is therefore how to detect, on the basis of the normal data formats built for the user input parameters, the Web attacks that may be carried in user input values.
The normal data formats that the method of this embodiment builds for user input parameters are of two kinds: simple-type formats and complex-type formats.
A simple-type data format is represented directly by a regular expression in this embodiment. For a user input parameter whose normal data format is a simple type, the anomaly detection process is therefore: extract the user input value of the parameter from the Web log and match it directly against the regular expression corresponding to the parameter; if the match succeeds the value is normal data, and if the match fails the value is judged an anomaly to be detected.
For complex-type data formats, this embodiment considers only the matching problem of data lists. A data list may be a list of simple-type data or a list of mixed-type data. A data list is not described directly by a regular expression but by defining its separator and its data items, each data item having its own data format, which is a simple-type data format. For a user input parameter whose normal data format is a complex data type, the anomaly detection process therefore cannot perform regular expression matching directly: the user input value must first be split on the specified separator to obtain the list of data items, and then each data item is checked against the specified simple-type data format. If every data item obtained by splitting a user input value conforms to the specified simple-type data format, the user input value is judged to conform to the normal data format of the parameter; if even one data item does not conform, the value is judged an anomaly to be detected.
For every user input value identified as abnormal, the method of this embodiment first marks it as abnormal and at the same time checks it with the misuse detection method based on known Web attack signatures, to determine whether the anomaly is a specific Web attack.
Embodiment example 6. This embodiment example describes the process of performing misuse detection on user input values.
Before building the normal data format of a user input parameter, the method of this embodiment can perform misuse detection on the Web logs used to build the normal behaviour model, so as to wash out samples that obviously contain Web attacks and guarantee the correctness of the learned format of the user input parameter. At the same time, a user input value identified as abnormal by the anomaly detection method is also checked by the misuse detection method, to determine whether the anomaly is a specific Web attack and to help the Web security administrator take targeted countermeasures against such attacks.
Before performing misuse detection based on a Web intrusion feature database, the method of this embodiment needs to build that Web intrusion feature database, which contains attack signatures such as SQL injection, cross-site scripting, command injection, directory traversal and buffer overflow. For the representation of the Web intrusion feature database and the matching process, the practice of misuse-detection-based intrusion detection products in the information security field can be referred to; it is not described in detail here.
Embodiment two: a Web attack detection device based on Web log analysis, which, as shown in Figure 2, comprises:
Log classification module 21, for dividing a plurality of pending Web logs according to the uniform resource locator (URL) in the Web logs, obtaining the Web log subsets corresponding to the different URLs;
Normal behaviour model learning module 22, for performing the following process for the Web log subset corresponding to each URL: selecting part of the Web logs in the Web log subset, the proportion of the selected Web logs in the Web log subset being less than or equal to a predetermined upper limit; building the normal behaviour model corresponding to this URL from the selected Web logs;
Anomaly detection module 23, for performing, for the Web log subset corresponding to each URL, anomaly detection on the Web logs of that subset that were not selected, based on the normal behaviour model corresponding to that URL.
The normal behaviour model learning module building the normal behaviour model corresponding to this URL from the selected Web logs may comprise:
The normal behaviour model learning module, based on the user input values of one or more user input parameters related to this URL in the selected Web logs, builds the normal data format of each user input parameter related to this URL; the normal behaviour model corresponding to the URL is the set of the normal data formats of the user input parameters related to this URL.
The one or more user input parameters related to the URL may include any one or more of the following: one or more Cookies related to this URL, and one or more user input parameters appended to this URL.
The anomaly detection module performing anomaly detection, based on the normal behaviour model corresponding to this URL, on the Web logs not selected in the Web log subset corresponding to this URL may comprise:
For each Web log that was not selected, the anomaly detection module extracts the current behaviour of the URL and compares it with the previously built normal behaviour model corresponding to this URL; when the current URL behaviour of a Web log is found to deviate substantially from the URL normal behaviour model, that Web log is determined to be an abnormal Web log.
The anomaly detection module extracting the current URL behaviour and comparing it with the previously built normal behaviour model corresponding to this URL may comprise:
The anomaly detection module extracts from the Web log the user input values corresponding to the one or more user input parameters related to this URL, and checks whether each user input value conforms to the normal data format of its user input parameter in the normal behaviour model corresponding to this URL; if it does not, that user input value is judged abnormal.
When, in a Web log, the number or proportion of user input values judged abnormal is greater than or equal to a predetermined threshold (for example, the number reaches or exceeds a predetermined upper limit on the abnormal count, or the proportion among the user input values of the Web log is greater than or equal to a predetermined upper limit on the abnormal proportion), the current URL behaviour of that Web log is considered to deviate substantially from the URL normal behaviour model, and the Web log is determined to be an abnormal Web log.
The device may also comprise:
A misuse detection module, for matching a user input value judged abnormal against the Web intrusion feature database to identify known Web attacks.
The normal behaviour model learning module building the normal behaviour model corresponding to this URL from the selected Web logs may further comprise:
The normal behaviour model learning module instructs the misuse detection module to perform misuse detection based on the Web intrusion feature database on the selected Web logs, screens out the Web logs containing Web attack signatures, and builds the normal behaviour model corresponding to this URL from the remaining Web logs.
The Web logs selected by the normal behaviour model learning module come from at least a specified number of Web clients.
In one example of this embodiment, when the Web attack detection device includes the misuse detection module, its workflow is as follows:
First, the log classification module loads the Web logs, extracts the URL from each Web log, and then divides the Web logs by URL value, placing Web logs with the same URL value in the same subset, so as to obtain the Web log subsets corresponding to the different URL values; the classified Web log subsets are then handed to the normal behaviour building module, which builds a normal behaviour model for each URL.
After the normal behaviour building module receives the Web log subset corresponding to each URL, it selects part of the Web logs as the learning sample for the normal behaviour model, calls the misuse detection module to clean the learning sample, and then calls the normal behaviour model learning algorithm described in embodiment example 4 to build the URL normal behaviour model; once the normal behaviour model has been built successfully, the Web log subset and the normal behaviour model corresponding to the URL are both handed to the anomaly detection module for Web anomaly detection.
The anomaly detection module performs anomaly detection on the Web log subset corresponding to each URL based on the normal behaviour model built for that URL: from each Web log in the set corresponding to the URL it extracts the current behaviour of the URL and matches it against the URL's normal behaviour model; when no match is found, the Web log is marked as abnormal and handed to the misuse detection module for further processing.
After the misuse detection module receives an abnormal Web log, it extracts all user input values from the Web log and matches them against the previously built Web intrusion feature database; if a match succeeds, the abnormal Web log is identified as a Web attack of a determined type.
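The detection path of embodiment examples 5 and 6 and the module workflow above, as an added Python example that is not part of the patent: the URL, parameter names, normal behaviour model, signature patterns and log lines are all constructed here, the request-line parsing assumes a common access-log layout, and only query-string parameters (not Cookies) are considered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Normal behaviour model for one URL, in the shape the learning module would
# produce (constructed for this example): each related parameter maps either
# to a simple format, given directly as a regular expression, or to a data
# list, given as (separator, regular expression every item must fully match).
MODEL_BY_URL = {
    "/profile/update": {
        "uid": ("simple", r"-?\d+"),
        "email": ("simple", r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
        "tags": ("list", ",", r"[A-Za-z]+"),
        # "bio" is free text: no normal format could be learned, so it is
        # deliberately absent from the model and only gets misuse detection.
    },
}

# Web intrusion feature database: a few illustrative signatures constructed
# for this example (a real feature database is far larger).
SIGNATURES = {
    "cross_site_scripting": re.compile(r"<\s*script|javascript:", re.I),
    "sql_injection": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d", re.I),
    "directory_traversal": re.compile(r"\.\./"),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def parse_log_line(line):
    """Return (URL path, {parameter: value}) from one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, {}
    parts = urlsplit(m.group(1))
    return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def misuse_detect(value):
    """Embodiment example 6: names of the known attack signatures a value matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def clean_learning_sample(lines):
    """Drop log lines carrying any attack signature before learning starts."""
    return [ln for ln in lines
            if not any(misuse_detect(v) for v in parse_log_line(ln)[1].values())]


def value_is_normal(value, spec):
    """Embodiment example 5: a simple format is matched directly; a data list is
    split on its separator and every item must match the item format."""
    if spec[0] == "simple":
        return re.fullmatch(spec[1], value) is not None
    _, sep, item_rx = spec
    return all(re.fullmatch(item_rx, item) for item in value.split(sep))


def check_log(line, model_by_url=MODEL_BY_URL, max_count=1, max_ratio=None):
    """Compare one log's URL behaviour with that URL's normal behaviour model.
    Returns (is_abnormal, {parameter: [matched signatures]}) for the abnormal
    values; an empty signature list means an anomaly of unknown type. The log
    is abnormal when the number of abnormal values reaches max_count or their
    share of the log's values reaches max_ratio (when given)."""
    path, params = parse_log_line(line)
    model = model_by_url.get(path)
    if model is None or not params:
        return False, {}
    abnormal = {}
    for name, value in params.items():
        spec = model.get(name)
        if spec is None:
            # No normal format exists for this parameter: misuse detection only.
            sigs = misuse_detect(value)
            if sigs:
                abnormal[name] = sigs
        elif not value_is_normal(value, spec):
            abnormal[name] = misuse_detect(value)
    n, total = len(abnormal), len(params)
    flagged = n >= max_count or (max_ratio is not None and n / total >= max_ratio)
    return (flagged and n > 0), abnormal


# Constructed access-log lines (not real traffic).
LOGS = [
    '10.0.0.5 - - [07/Dec/2015:10:00:01 +0800] "GET /profile/update?uid=42&email=alice%40example.test&tags=red,green&bio=hello HTTP/1.1" 200 512',
    '10.0.0.6 - - [07/Dec/2015:10:00:07 +0800] "GET /profile/update?uid=4x2&email=bob%40example.test&tags=blue HTTP/1.1" 200 498',
    '10.0.0.7 - - [07/Dec/2015:10:00:09 +0800] "GET /profile/update?uid=7&email=eve%40example.test&tags=red,%3Cscript%3E HTTP/1.1" 200 503',
]

if __name__ == "__main__":
    for line in LOGS:
        print(check_log(line))
```

The second line is an anomaly that matches no signature, the third is an anomaly the misuse detector can name; the first survives both cleaning and detection even though its free-text "bio" parameter has no learned format.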
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method may be completed by a program instructing the related hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments may be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software function module. The present invention is not restricted to any particular combination of hardware and software.
Although the embodiments disclosed by the present invention are as above, the described content is adopted only to facilitate understanding of the present invention and is not intended to limit it. Any person skilled in the art to which the present invention belongs may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed by the present invention, but the scope of patent protection of the present invention remains defined by the appended claims.

Claims (10)

1. A Web attack detection method, comprising:
S110, for a plurality of pending Web logs, dividing them according to the uniform resource locator (URL) in the Web logs to obtain the Web log subsets corresponding to the different URLs;
S120, for the Web log subset corresponding to each URL, performing the following process: selecting part of the Web logs in the Web log subset, the proportion of the selected Web logs in the Web log subset being less than or equal to a predetermined upper limit; building the normal behaviour model corresponding to this URL from the selected Web logs;
S130, for the Web log subset corresponding to each URL, performing anomaly detection on the Web logs of that subset that were not selected, based on the normal behaviour model corresponding to that URL.
2. The method of claim 1, characterized in that building the normal behaviour model corresponding to this URL from the selected Web logs comprises:
based on the user input values of one or more user input parameters related to this URL in the selected Web logs, building the normal data format of each user input parameter related to this URL, the normal behaviour model corresponding to the URL being the set of the normal data formats of the user input parameters related to this URL;
and that performing anomaly detection, based on the normal behaviour model corresponding to this URL, on the Web logs not selected in the Web log subset corresponding to this URL comprises:
for each Web log that was not selected, extracting the user input values corresponding to the one or more user input parameters related to this URL, and checking whether each user input value conforms to the normal data format of its user input parameter in the normal behaviour model corresponding to this URL; if it does not, judging that user input value abnormal; when, in a Web log, the number or proportion of user input values judged abnormal is greater than or equal to a predetermined threshold, determining that Web log to be an abnormal Web log.
3. The method of claim 2, characterized in that:
the one or more user input parameters related to the URL comprise any one or more of the following: one or more Cookies related to this URL, and one or more user input parameters appended to this URL.
4. The method of claim 2, characterized in that, after judging a user input value abnormal, it further comprises:
matching the user input value judged abnormal against a Web intrusion feature database to identify known Web attacks.
5. The method of claim 1, characterized in that building the normal behaviour model corresponding to this URL from the selected Web logs comprises:
performing misuse detection based on a Web intrusion feature database on the selected Web logs, screening out the Web logs containing Web attack signatures, and building the normal behaviour model corresponding to this URL from the remaining Web logs.
6. A Web attack detection device, characterized in that it comprises:
a log classification module, for dividing a plurality of pending Web logs according to the uniform resource locator (URL) in the Web logs, obtaining the Web log subsets corresponding to the different URLs;
a normal behaviour model learning module, for performing the following process for the Web log subset corresponding to each URL: selecting part of the Web logs in the Web log subset, the proportion of the selected Web logs in the Web log subset being less than or equal to a predetermined upper limit; building the normal behaviour model corresponding to this URL from the selected Web logs;
an anomaly detection module, for performing, for the Web log subset corresponding to each URL, anomaly detection on the Web logs of that subset that were not selected, based on the normal behaviour model corresponding to that URL.
7. The device of claim 6, characterized in that the normal behaviour model learning module building the normal behaviour model corresponding to this URL from the selected Web logs comprises:
the normal behaviour model learning module, based on the user input values of one or more user input parameters related to this URL in the selected Web logs, building the normal data format of each user input parameter related to this URL, the normal behaviour model corresponding to the URL being the set of the normal data formats of the user input parameters related to this URL;
and that the anomaly detection module performing anomaly detection, based on the normal behaviour model corresponding to this URL, on the Web logs not selected in the Web log subset corresponding to this URL comprises:
the anomaly detection module, for each Web log that was not selected, extracting the user input values corresponding to the one or more user input parameters related to this URL, and checking whether each user input value conforms to the normal data format of its user input parameter in the normal behaviour model corresponding to this URL; if it does not, judging that user input value abnormal; when, in a Web log, the number or proportion of user input values judged abnormal is greater than or equal to a predetermined threshold, determining that Web log to be an abnormal Web log.
8. The device of claim 7, characterized in that:
the one or more user input parameters related to the URL comprise any one or more of the following: one or more Cookies related to this URL, and one or more user input parameters appended to this URL.
9. The device of claim 7, characterized in that it further comprises:
a misuse detection module, for matching a user input value judged abnormal against a Web intrusion feature database to identify known Web attacks.
10. The device of claim 9, characterized in that the normal behaviour model learning module building the normal behaviour model corresponding to this URL from the selected Web logs comprises:
the normal behaviour model learning module instructing the misuse detection module to perform misuse detection based on the Web intrusion feature database on the selected Web logs, screening out the Web logs containing Web attack signatures, and building the normal behaviour model corresponding to this URL from the remaining Web logs.
CN201510889266.0A 2015-12-07 2015-12-07 A kind of detection method and device of Web attacks Expired - Fee Related CN105516128B (en)
Publications (2)

Publication Number, Publication Date
CN105516128A (en), 2016-04-20
CN105516128B (en), 2018-10-30

Legal Events

Code, Title / Description
C06, Publication
PB01, Publication
C10, Entry into substantive examination
SE01, Entry into force of request for substantive examination
GR01, Patent grant (granted publication date: 20181030)
CF01, Termination of patent right due to non-payment of annual fee (termination date: 20191207)